Security Workshop (Part 2) - Apan

Dec 4, 2013

Network Security Workshop
BUSAN 2003

Saravanan Kulanthaivelu
svanan@nrg.cs.usm.my

Security Audit

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeros, little bits of data... There's a war out there... and it's not about who's got the most bullets. It's about who controls the information."

Federation of American Scientists - Intelligence Resource Program

Workshop Outline (2)

- Security Audit
- Intrusion Detection
- Incident Response

FAQ

- We already have firewalls in place. Isn't that enough?
- We did not realize we could get security audits. Can you really get security audits, just like financial audits?
- We have already had a security audit. Why do we need another one?

Answers

- Firewalls and other devices are simply tools that help provide security; they do not, by themselves, provide security. Using a castle as an analogy, think of firewalls and similar tools as the walls and watch towers. Without guards, reports, and policies and procedures in place, they provide little protection.
- Security audits, like financial audits, should be performed on a regular basis.

Security Audit - Definitions

- A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by those practices.
- It is an assessment process which develops systems and procedures within an organization, creates awareness amongst employees and users, and ensures compliance with legislation through periodic checking of processes, constituents and documentation.


Why Audit?

- Determine vulnerable areas
- Obtain specific security information
- Allow for remediation
- Check for compliance
- Ensure ongoing security
- Ensure that the site's networks and systems are efficient and robust against known threats

Who needs security auditing?

- A security audit is necessary for every organization using the Internet.
- Auditing is an ongoing process that must be repeated and improved to cope with ever-changing and challenging threats.
- Being audited should not be feared. Auditing is good practice.



Audit Phases

- External Audit
  - Public information collection
  - External penetration
    - Non-destructive test
    - Destructive test
- Internal Audit
  - Confidential information collection
  - Security policy review
  - Interviews
  - Environment and physical security
  - Internal penetration
  - Change management
- Reporting

Audit Phases - External

- The hacker's view of the network
- Simulate attacks from outside
- Point-in-time snapshots
- Can NEVER be 100% complete: it only shows what was reachable and detectable at the time of the test

External Audit - Public Information Gathering

- Search for information about the target and the critical services it provides on the Internet.
- Network identification
  - Identify the IP address ranges owned/used
- Network fingerprinting
  - Try to map the network topology
  - Identify the perimeter model
- OS & application fingerprinting
  - OS fingerprinting
  - Port scanning to identify services and applications
  - Banner grabbing
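The port-scanning and banner-grabbing step above, as an added example written for this page (it is not a tool from the workshop): a TCP connect() scan that reads the greeting banner of each open port and matches it against a small signature table to guess the service. To stay self-contained it starts two fake listeners on 127.0.0.1 (an SMTP-like and an SSH-like service with constructed banners, on ephemeral ports) and scans those plus one closed port. Against real targets, run such a scan only with permission and outside peak hours, as the commandments on the next slide say.

```python
"""Minimal TCP port scanner with banner grabbing (added illustration code)."""
import socket
import threading
from dataclasses import dataclass

# Constructed banners imitating what real daemons send on connect.
FAKE_SERVICES = {
    "smtp": b"220 mail.example.test ESMTP Sendmail 8.12.9; ready\r\n",
    "ssh": b"SSH-2.0-OpenSSH_3.6.1p2\r\n",
}

# Tiny signature table: banner prefix -> service guess.
BANNER_SIGNATURES = [
    (b"220 ", "smtp"),
    (b"SSH-", "ssh"),
    (b"HTTP/", "http"),
    (b"+OK", "pop3"),
]


@dataclass
class PortResult:
    port: int
    state: str              # "open" or "closed"
    banner: bytes = b""
    service: str = "unknown"


def start_fake_listener(banner: bytes) -> int:
    """Bind a throwaway server on 127.0.0.1:0 that sends `banner` to every
    client, serve it from a daemon thread, and return the port it got."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def guess_service(banner: bytes) -> str:
    """Match the start of a banner against BANNER_SIGNATURES."""
    for prefix, name in BANNER_SIGNATURES:
        if banner.startswith(prefix):
            return name
    return "unknown"


def scan_port(host: str, port: int, timeout: float = 1.0) -> PortResult:
    """connect() scan of one port; if it opens, read the greeting banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""    # open, but the service waits for the client to speak first
    except OSError:
        return PortResult(port, "closed")
    return PortResult(port, "open", banner.strip(), guess_service(banner))


def scan(host: str, ports) -> list:
    return [scan_port(host, p) for p in ports]


def _free_closed_port() -> int:
    """Pick a port that is currently unused so the scan sees a 'closed' result."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Start the fake services, scan them plus one closed port, and
    return a {port: PortResult} map."""
    smtp_port = start_fake_listener(FAKE_SERVICES["smtp"])
    ssh_port = start_fake_listener(FAKE_SERVICES["ssh"])
    results = scan("127.0.0.1", [smtp_port, ssh_port, _free_closed_port()])
    return {r.port: r for r in results}


if __name__ == "__main__":
    for port, r in sorted(demo().items()):
        print(f"{port:5d}/tcp {r.state:6s} {r.service:8s} {r.banner!r}")
```

The connect() scan completes the TCP handshake, so every probe lands in the target's logs and connection tables; that is exactly why the commandments that follow insist on permission and off-peak timing.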

External Audit - Some Commandments

- Do not make ANY changes to the systems or networks
- Do not impact processing capability by running scanning/testing tools during business hours or during peak or critical periods
- Always get permission (in writing, with the scope agreed) before testing
- Be confidential and trustworthy
- Do not perform unnecessary attacks

External Audit - Penetration Test

- Plan the penetration process
- Search for vulnerabilities matching the information gathered and obtain the exploits
- Conduct vulnerability assessments (ISO 17799)
- Non-destructive test
  - Scans/tests to confirm vulnerabilities
  - Make SURE they are not harmful
- Destructive test
  - Only with a short-term effect (DDoS...)
  - Done from various locations
  - Done only during off-peak hours, to confirm the effect
- Record everything
  - Save snapshots and record everything for every test done, even if it returned a false result
- Watch out for HONEYPOTS

Internal Audit

- Conducted on the premises
- A process of hacking with full knowledge of the network topology and other crucial information
- Also identifies threats from within the organization
- Should be 100% accurate
- Must be cross-checked against the external penetration report

Internal Audit - Policy review

- Everything starts with the security policy
- If there is no policy, there is no need for a security audit: there is nothing to audit against
- Hierarchy: Policy -> Standards -> Procedures, Guidelines & Practices

Internal Audit - Policy review

- Policies are studied properly and classified
- Identify any security risk that exists within the policy
- Interview IT staff to gain a proper understanding of the policies
- Also identify the level of implementation of the policies

Internal Audit - Information gathering

- Discussion of the network topology
- Placement of perimeter devices (routers and firewalls)
- Placement of mission-critical servers
- Existence of IDS
- Logging

Internal Audit - Environment & Physical Security

- Locked / combination / card-swipe doors
- Temperature / humidity controls
- Neat and orderly computing rooms
- Sensitive data or papers lying around?
- Fire suppression equipment
- UPS (uninterruptible power supply)

Section 8.1 of the ISO 17799 document defines the concepts of secure area, secure perimeter and controlled access to such areas.

Internal Audit - Penetration

The internal penetration test can be divided into a few categories:

- Network
- Perimeter devices
- Servers and OS
- Applications and services
- Monitoring and response

Find vulnerabilities and malpractice in each category.

Internal Audit - Network

- Location of devices on the network
- Redundancy and backup devices
- Staging network
- Management network
- Monitoring network
- Other network segmentation
- Cabling practices
- Remote access to the network

Internal Audit - Perimeter Devices

Check the configuration of perimeter devices such as:

- Routers
- Firewalls
- Wireless AP/bridge
- RAS servers
- VPN servers

Test the ACLs and filters, including ingress and egress filtering, the firewall rules, the configuration access method, and the logging methods.
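One way to test ingress and egress filtering offline, as an added example written for this page rather than anything from the workshop: model the perimeter ACL as an ordered, first-match rule list with an implicit default deny, then run a fixed set of test packets through it and report every check whose verdict differs from the expected one. The address ranges (192.0.2.0/24 as the "inside" network, 203.0.113.0/24 as the Internet) and both rule sets are constructed; the weak set is the common mistake of trusting the internal range on the outside interface and letting anything out, the fixed set adds the anti-spoofing rules (RFC 2827 ingress filtering and its egress counterpart) in front of the service rules.

```python
"""Tabletop check of ingress/egress filtering on a first-match ACL (added example)."""
import ipaddress
from dataclasses import dataclass

INTERNAL = "192.0.2.0/24"        # constructed "inside" range


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    iface: str                   # "outside" = ingress, "inside" = egress
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0               # 0 = any destination port


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (0, pkt.dport))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "drop"


# (description, test packet, expected verdict)
CHECKS = [
    ("ingress anti-spoof: internal source arriving on outside",
     Packet("outside", "192.0.2.55", "192.0.2.10", "tcp", 80), "drop"),
    ("ingress: public web server reachable",
     Packet("outside", "203.0.113.9", "192.0.2.10", "tcp", 80), "accept"),
    ("ingress: SSH to an internal host blocked",
     Packet("outside", "203.0.113.9", "192.0.2.20", "tcp", 22), "drop"),
    ("egress anti-spoof: non-internal source leaving",
     Packet("inside", "10.9.9.9", "203.0.113.9", "tcp", 80), "drop"),
    ("egress: internal clients may browse",
     Packet("inside", "192.0.2.55", "203.0.113.9", "tcp", 80), "accept"),
]


def audit(rules):
    """Return (check, expected, actual) for every check the rule set fails."""
    failures = []
    for name, pkt, expected in CHECKS:
        got = evaluate(rules, pkt)
        if got != expected:
            failures.append((name, expected, got))
    return failures


# Weak configuration: service rule first, internal range trusted on the
# outside interface, unrestricted egress.
WEAK_RULES = [
    Rule("accept", "outside", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("accept", "outside", src=INTERNAL),
    Rule("accept", "inside"),
]

# Corrected configuration: anti-spoofing before the service rules.
FIXED_RULES = [
    Rule("drop", "outside", src=INTERNAL),          # our addresses never arrive from outside
    Rule("accept", "outside", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("accept", "inside", src=INTERNAL),         # only our addresses may leave
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(label, "failures:", audit(rules) or "none")
```

Rule order is the whole point: in the weak set the web-server accept sits before any source check, so a packet spoofed from 192.0.2.55 to port 80 is admitted even though a later rule would also have accepted it. In practice the CHECKS table is where the auditor writes down the policy; the rule list is transcribed from the device configuration.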

Internal Audit - Server & OS

- Identify mission-critical servers such as DNS, email and others
- Examine the OS and the patch levels
- Examine the ACLs on each server
- Examine the management controls: accounts & passwords
- Placement of the servers
- Backup and redundancy


Internal Audit - Application & Services

Identify the services and applications running on the mission-critical servers. Check vulnerabilities for the versions running. Remove unnecessary services/applications.

- DNS: name services (BIND)
- Email: POP3, SMTP
- Web/HTTP
- SQL
- Others


Internal Audit - Monitor & Response

Check for procedures on:

- Event logging and audit
  - What is logged?
  - How frequently are the logs reviewed?
  - How long are the logs kept?
- Network monitoring
  - What is monitored?
  - How are alerts responded to?
- Intrusion detection
  - Is an IDS in place?
  - What rules and detection methods are used?
- Incident response
  - How is an attack responded to?
  - What is the recovery plan?
  - Follow-up?

Internal Audit - Analysis and Report

- Analyse the results
  - Check compliance with the security policy
  - Identify weaknesses and vulnerabilities
  - Cross-check with the external audit report
- Report: the key to realizing value
  - Must have 2 parts: non-technical (for management use) and technical (for IT staff)
  - Methodology of the entire audit process
  - Separate internal and external findings
  - State weaknesses/vulnerabilities
  - Suggest solutions to harden security


Tools

More Tools...

- Inetmon
- Firewalk
- Dsniff
- RafaleX
- NetStumbler
- RAT (Router Audit Tool) - CIS
- Retina scan tools
- MBSA

Nmap - De facto Standard

- Nmap was even used in The Matrix Reloaded


Intrusion Detection

- Intrusion detection is the process of monitoring computer networks and systems for violations of security.
- An intrusion is any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
- All intrusions are defined relative to a security policy.
  - The security policy defines what is permitted and what is denied on a network/system.
  - Unless you know what is and is not permitted, it is pointless to attempt to catch intrusions.

Intrusion Detection

- Manual detection
  - Check the log files for unusual behaviour
  - Check the setuid and setgid bits on files
  - Check important binaries
  - Check for use of sniffing programs
- Automatic (partially??)
  - Intrusion Detection Systems

Intrusion Detection Systems

- Goal: to detect intrusions in real time and respond to them
- False positive: an alarm with no intrusion. Too many make your life miserable.
- False negative: an intruder not detected. The system is compromised.



Intrusion Detection - Detection Schemes

- Misuse detection
  - The most common technique, where incoming/outgoing traffic is compared against well-known 'signatures'. For example, a large number of failed TCP connections to a wide variety of ports indicates that somebody is doing a TCP port scan.
- Anomaly detection
  - Uses statistical analysis to find changes from baseline behaviour (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition, but has the benefit that it can catch attacks for which no signature exists. Anomaly detection is still mostly theoretical at this point and is the topic of extensive research.
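Both schemes above, run over firewall log lines, as an added example written for this page (not a tool from the workshop): the misuse signature is the one the slide gives, one source whose dropped TCP packets reach many distinct destination ports within a short window; the anomaly check learns per-minute accepted-connection counts to a server during a baseline period and flags later minutes that sit more than three standard deviations above the mean. The iptables-style log is constructed with documentation address ranges, and the thresholds (10 ports in 60 seconds, z > 3) are assumptions to be tuned per site.

```python
"""Misuse (signature) and anomaly (baseline) detection over firewall logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse(line, year=2003):
    """Turn one firewall log line into an event dict (None if it is not one)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_port_scans(events, window_s=60, min_ports=10):
    """Misuse signature: a source whose dropped TCP packets hit at least
    min_ports distinct destination ports within window_s seconds.
    Returns one (src, window start, distinct ports) alert per source."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["action"] == "DROP":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over this source's drops
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append((src, evs[start]["ts"], len(ports)))
                break
    return alerts


def per_minute_counts(events, dst):
    """Accepted connections per minute to one destination host."""
    counts = defaultdict(int)
    for e in events:
        if e["dst"] == dst and e["action"] == "ACCEPT":
            counts[e["ts"].replace(second=0)] += 1
    return dict(counts)


def detect_anomalies(counts, baseline_minutes, threshold=3.0):
    """Anomaly check: minutes outside the learning period whose count is
    more than `threshold` standard deviations above the baseline mean."""
    base = [counts.get(m, 0) for m in baseline_minutes]
    mean = statistics.mean(base)
    sd = max(statistics.pstdev(base), 1.0)   # floor: a perfectly flat baseline must not flag 5 vs 4
    return [(m, c) for m, c in sorted(counts.items())
            if m not in baseline_minutes and (c - mean) / sd > threshold]


def make_sample_log():
    """Constructed iptables-style log, not a real capture."""
    lines = []

    def add(t, action, src, dst, dpt, spt=40000):
        lines.append(f"Jun 12 {t} fw kernel: {action} IN=eth0 OUT= SRC={src} "
                     f"DST={dst} PROTO=TCP SPT={spt} DPT={dpt}")

    for minute in range(10):                       # baseline: 4 web hits per minute
        for i in range(4):
            add(f"10:{minute:02d}:{i * 15:02d}", "ACCEPT", f"198.51.100.{minute + i + 1}", "192.0.2.10", 80)
    for i in range(40):                            # anomaly: 40 hits in one minute
        add(f"10:15:{i:02d}", "ACCEPT", f"198.51.100.{i + 50}", "192.0.2.10", 80)
    for i, p in enumerate((135, 137, 445)):        # benign noise: 3 ports, below the scan threshold
        add(f"10:18:0{i}", "DROP", "198.51.100.7", "192.0.2.10", p)
    for i in range(20):                            # port scan: 20 ports in 20 seconds
        add(f"10:20:{i:02d}", "DROP", "203.0.113.5", "192.0.2.10", 1 + i, spt=1024 + i)
    return lines


def analyse(lines):
    events = [e for e in map(parse, lines) if e]
    scans = detect_port_scans(events)
    counts = per_minute_counts(events, "192.0.2.10")
    baseline = sorted(counts)[:10]                 # first ten minutes = learning period
    return scans, detect_anomalies(counts, baseline)


if __name__ == "__main__":
    scans, anomalies = analyse(make_sample_log())
    for src, t, n in scans:
        print(f"PORTSCAN from {src} starting {t:%H:%M:%S}: {n} distinct ports")
    for m, c in anomalies:
        print(f"ANOMALY at {m:%H:%M}: {c} connections/min")
```

The two detectors fail in opposite ways, which is the slide's point: the signature never fires on the 3-port probe (and would not fire on a scan slower than 10 ports per minute), while the baseline check fires on the flood without knowing what it is and would equally fire on a legitimate surge of visitors.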



Intrusion Detection - Detection

- Misuse detection
  - Detects known attack signatures
  - Advantage: low false positive rate
  - Drawbacks: only known attacks; cost of signature management
- Anomaly detection
  - Learns normal profiles from user and system behaviour, then detects anomalies
  - Advantage: detects unknown attacks
  - Drawbacks: difficulty of profiling; the profile can be trained by the intruder; high false positive rate



Network IDS

- Uses network packets as the data source
- Searches for patterns in packets
- Searches for patterns of packets
- Searches for packets that shouldn't be there
- May 'understand' a protocol for effective pattern searching and anomaly detection
- May passively log, alert via SMTP/SNMP, or have a real-time GUI

Network IDS Strengths

- Lower cost of ownership
  - Fewer detection points required
  - Greater view
  - More manageable
- Detects attacks that host-based systems miss
  - IP-based denial of service
  - Packet or payload content
- More difficult for an attacker to remove evidence
  - Uses live network traffic
  - Captured network traffic

Network IDS Strengths

- Real-time detection and response
  - Faster notification and response
  - Can stop an attack before damage is done (TCP reset)
- Detects unsuccessful attacks and malicious intent
  - Outside a DMZ
  - Sees attempts blocked by the firewall
  - Critical information obtained can be used for policy refinement
- Operating system independence
  - Does not require information from the target OS
  - Does not have to wait until the event is logged
  - No impact on the target

Network IDS Limitations

- Obtaining packets: topology & encryption
- Number of signatures
- Quality of signatures
- Performance
- Network session integrity
- Understanding the observed protocol
- Disk storage

Host Based IDS

- Signature log analysis
  - Application and system logs
- File integrity checking
  - MD5 checksums (a stronger hash such as SHA-256 is preferable today, since MD5 collisions are practical)
- Enhanced kernel security
  - API access control
  - Stack security
- Some products listen to port activity and alert the administrator when specific ports are accessed
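The file-integrity checking above, and the manual checks listed earlier (setuid/setgid bits, important binaries), as one added example written for this page rather than any product's code: it records a digest and the permission bits of every regular file under a root, stores that baseline, and later compares a fresh snapshot against it, reporting modified, added and removed files and any newly set setuid/setgid bit. SHA-256 stands in for the MD5 the slide names. demo() builds a throwaway directory tree with constructed contents and tampers with it the way an intruder would (a trojaned ps, a setuid shell copy, a deleted file), so it runs offline; on a real host the baseline must be taken on a known-good system and kept off that host or on read-only media, since a rootkit that can alter binaries can alter a local baseline too.

```python
"""Tripwire-style file integrity baseline and comparison (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def _digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {sha256, mode, size, mtime} for regular files under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, devices
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            snap[rel] = {"sha256": _digest(p), "mode": st.st_mode & 0o7777,
                         "size": st.st_size, "mtime": int(st.st_mtime)}
    return snap


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def is_setuid_or_setgid(mode):
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def compare(baseline, current):
    """Diff two snapshots; a change in content or permission bits counts as modified."""
    report = {"modified": [], "added": [], "removed": [], "new_setuid": []}
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif old["sha256"] != cur["sha256"] or old["mode"] != cur["mode"]:
            report["modified"].append(rel)
        if is_setuid_or_setgid(cur["mode"]) and not (old and is_setuid_or_setgid(old["mode"])):
            report["new_setuid"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Build a throwaway tree, take a baseline, tamper, and return the report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        files = {"bin/ls": b"ELF original ls", "bin/ps": b"ELF original ps",
                 "etc/motd": b"authorised use only\n"}       # constructed contents
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline_path = os.path.join(store, "baseline.json")  # kept outside the audited tree
        save_baseline(snapshot(root), baseline_path)

        # Tampering: trojaned ps, new setuid shell copy, deleted file.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"ELF trojaned ps that hides the intruder's processes")
        rootsh = os.path.join(root, "bin", "rootsh")
        with open(rootsh, "wb") as f:
            f.write(b"ELF copy of sh")
        os.chmod(rootsh, 0o4755)          # setuid bit; only meaningful on POSIX hosts
        os.remove(os.path.join(root, "etc", "motd"))

        report = compare(load_baseline(baseline_path), snapshot(root))
        report["setuid_supported"] = os.name == "posix"
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value}")
```

Note what this cannot see: a kernel module that lies to stat() and read() defeats any userland checker, which is exactly the "kernel modifications to avoid file integrity checking" limitation listed two slides on.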

Host IDS Strengths

- Verifies the success or failure of an attack
  - Log verification
- Monitors specific system activities
  - File access
  - Logon/logoff activity
  - Account changes
  - Policy changes
- Detects attacks that a network-based IDS may miss
  - Keyboard (console) attacks
  - Brute-force logins

Host Based IDS Limitations

- Places load on the system
- Can be blinded by disabling system logging
- Kernel modifications to avoid file integrity checking (and other things)
- Management overhead
- Network IDS limitations

Characteristics of a Good IDS

- Imposes minimal overhead
  - Does not slow down the system
- Observes deviations from normal behaviour
- Easily tailored to any system
- Copes with changing system behaviour over time as applications are added
  - High adaptability

Network Honeypots

- Sacrificial system(s) or sophisticated simulations
- Any traffic to the honeypot is considered suspicious
- If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a honeypot has been deployed

(Diagram: a honeypot placed alongside the HTTP and DNS servers behind the firewall.)

Some IDS

- Commercial
  - RealSecure by ISS
  - VCC/Tripwire
  - CMDS by SAIC
  - NetRanger by WheelGroup
- Freeware/Open source
  - Snort (www.snort.org)

Incident Response

- Incident: an action likely to lead to grave consequences
  - Data loss may lead to commercial loss
  - Confidentiality breached
  - Political issues...
  - Network breakdown leading to disruption of service and information flow
  - Many more...


Incident Response

- Response: an act of responding
  - Something constituting a reply or a reaction
  - The activity, or inhibition of previous activity, of an organism or any of its parts resulting from stimulation
  - The output of a transducer or detecting device resulting from a given input
- Ideally, incident response is a set of policies that allows an individual or individuals to react to an incident in an efficient and professional manner, thereby decreasing the likelihood of grave consequences.



ISO 17799

- Outlines comprehensive incident response and internal investigation procedures
- Detailed provisions on computer evidence preservation and handling

Incident Response - Purpose

- Minimize overall impact
  - Hide from public scrutiny
  - Stop further progression
  - Involve key personnel
  - Control the situation
- Recover quickly & efficiently
  - Respond as if going to prosecute
  - If possible, replace the system with a new one
  - Priority one: business back to normal
  - Ensure all participants are notified
  - Record everything
- Secure the system
  - Lock down all known avenues of attack
  - Assess the system for unseen vulnerabilities
  - Implement proper auditing
  - Implement new security measures
- Follow-up (a continuous process)
  - Ensure that all systems are secure
  - Continue prosecution
  - Securely store all evidence and notes
  - Distribute lessons learned

Incident Response - Incident Verification

- How are we certain that an incident occurred? Verify the incident!
- Where to find information?
  - Intrusion logs
  - Firewall logs
  - Interviews
  - Emails, network admin, users, ISP, etc.


Verification: What do we know?

Three situations:

1. Verification without touching the system.
2. Verification by touching the system minimally. You have a clue or two where to look.
3. Verification by full analysis of the live system to find any evidence that an incident has occurred.

Secure Incident Scene

- What exactly does this mean?
  - Limit the amount of activity on the system to as little as possible
  - Limit damage by isolating
  - ONE person performs actions
  - Limit effects on the crime environment
  - Record your actions
- Preserve everything!
  - Anything and everything you do will change the state of the system
  - POWER OFF? Changes it.
  - Leave it plugged in? Changes it.
  - Obtaining a backup will change the system.
  - Unplug the network? Changes it.
  - Even doing nothing will ALSO change the state of the system.

Incident Scene Snapshot

- Record the state of the computer
  - Photos, state of the computer, what is on the screen?
  - What is obviously running on the screen? Xterm? X Windows?
- Should you port scan the affected computer?
  - Pros: you can see all active and listening ports
  - Cons: it affects the computer, and some backdoors log how many connections come into them and could tip off the bad guy

Unplug power from the system?

- This method may be the most damaging to effective analysis, though there are some benefits as well.
- Benefits: you can now move the system to a more secure location, and you can physically remove the hard drive from the system.
- Cons: you lose evidence of all running processes and memory.

Unplug from the network?

- Unplug it from the network and plug the distant end into a small hub that is not connected to anything else.
- Most systems will write error messages into log files if not on a network.
- If you make the computer think it is still on a network, you will limit the amount of change to that system.

Backup or Analyze?

- Should you back up the system first?
- Should you find the extent of the damage first?
- Set this up in your incident response policy:
  - It depends on the system and what you need it for.
  - To get the BEST evidence, BACK UP first, at the cost of the time it takes to get answers.
  - To get FAST answers, ANALYZE first, at the cost of getting the best evidence.
  - Label systems with a priority. Some will need answers quicker than your ability to get the best evidence.

Finding Clues

- Once the backup is done, start looking for clues.
- Be careful to avoid tampering with the system when it is in the middle of a backup.
- Even though the emphasis might be to quickly assess the WHAT of a situation, if you try to answer that question without preserving the scene of the crime you will inadvertently erase the evidence you seek.
- Be patient. It's meticulous.



Finding Clues

- What are we really looking for?
  - DATES and TIMES
  - TROJAN BINARIES
  - HIDDEN DIRECTORIES
  - OUT-OF-PLACE FILES OR SOCKETS
  - ABNORMAL PROCESSES
- We need to find one clue, and once we do, everything else almost always falls into place.

What Next?

- Prosecute??
- Apply short-term solutions to contain the intrusion
- Eliminate all means of intruder access
- Return systems to normal operation
- Identify and implement security lessons learned


Useful Links

- http://www.securityfocus.com
- http://packetstormsecurity.org
- http://icat.nist.gov/icat.cfm
- http://wiretrip.net
- http://www.guninski.com/
- http://nsfocus.com

Incident Response Resources

- Incident Response, Electronic Discovery, and Computer Forensics: www.incident-response.org
- Security Focus: www.securityfocus.com
- The Federal Computer Incident Response Center (FedCIRC): www.fedcirc.gov
- The Canadian Office of Critical Infrastructure Protection and Emergency Preparedness: www.ocipep.gc.ca
- Incident Handling Links & Documents (75 links): http://www.honeypots.net/incidents/links
- SEI: Handbook for Computer Security Incident Response Teams: http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf
- CERT/CC: Computer Security Incident Response: http://www.cert.org/csirts/
- CERT/CC: Responding to Intrusions: http://www.cert.org/security-improvement/modules/m06.html
- AusCERT: Forming an Incident Response Team: http://www.auscert.org.au/render.html?it=2252&cid=1920
- SANS: S.C.O.R.E: http://www.sans.org/score/


White Papers

http://www.ins.com/knowledge/whitepapers.asp

- Information Security Management: Understanding ISO 17799
- Microsoft IIS Unicode Exploit
- Worrisome New Windows Attacks
- PKI: How it Works
- IPSec: What Makes it Work

Funny things happen! Beware.

Thank You